<html>
    <head>
        <meta charset="utf-8" />
        <title>CSP</title>
        <meta http-equiv="Content-Security-Policy" content="default-src http: https">
    </head>
    <body>
        <script>
            console.log('hello world!!!');    
        </script>
        <script src="/script.js"></script>
    </body>
</html>